@@ -376,6 +376,20 @@ The adversary can perform the following attacks from a number of possible positi
...
@@ -376,6 +376,20 @@ The adversary can perform the following attacks from a number of possible positi
- Guard relays or upstream routers
- Guard relays or upstream routers
- Release infrastructure
- Release infrastructure
An adversary may develop exploit chains targeting vulnerabilities in the browser or the operating system to install malware and surveillance software.
For example, an adversary running a website may serve users with JavaScript capable of breaking out of the browser's sandbox.
They could also serve specially crafted files (such as images or documents) which exploit bugs in parser or rendering implementations found on user's systems.
Adversaries running exit relays may inject such exploits into unencrypted data streams, while adversaries running guard relays may target the tor daemon itself using specially crafted messages which take advantage of undefined behaviour granting arbitrary code-execution.
An adversary may also target release infrastructure to potentially compromise browser releases themselves.
For example, an adversary may compromise the source code of a library which the browser depends on, resulting in malware being built and shipped in official browser releases.
An adversary may compromise build or release infrastructure resulting in back-doors being inserted into official browser releases.
An adversary may compromise update servers, allowing them to ship compromised browser updates to users.
An adversary may infiltrate the project itself and apply their own malicious patches during the browser release process.
